The present invention relates to remote diagnosis technology, and in particular to a method and a computer program product for providing remote diagnosis of an information appliance via a secure connection, and to an information appliance for performing the method.
An information appliance, also known as an Internet appliance, is usually built with networking capability and is a device that performs a specific function, such as a gateway, a router, network-attached storage, an access point, a digital TV set-top box, or a web-based file sharing server. Examples of conventional appliances include the IBM® WebSphere® DataPower Series SOA Appliances and the Tivoli® ISS Appliances, wherein “IBM”, “WebSphere”, and “Tivoli” are registered trademarks owned by International Business Machines Corporation in the United States and/or other countries.
Unlike general-purpose computer devices, information appliances are designed to serve a specific purpose or provide a specific service, so as to carry out specific transactions with high performance. Also unlike general-purpose computer devices, information appliances are relatively closed, as they run a specific operating system and specific applications (or drivers) chosen for the intended purpose and service.
A cluster consisting of a plurality of information appliances and characterized by reliability, availability and serviceability (RAS) is important for the configuration of information appliances, in order to ensure that a plurality of servers or information appliances can meet business needs. This is especially true of those information appliance products that function as an enterprise's processing units located in a demilitarized zone (DMZ).
The network interface card (NIC) of a typical information appliance is usually equipped with an administrative port or a serial port via which a network system administrator diagnoses a system-related problem or failure. In general, the network interface card provides a system on chip (SoC) or an application-specific integrated circuit (ASIC) that establishes a TCP/IP connection using its own TCP/IP stack. By means of this TCP/IP stack, the information appliance can create the TCP/IP connection regardless of the state of the operating system of the information appliance. After connecting to the administrative port or the serial port, the network system administrator carries out diagnosis and troubleshooting via a console that starts the operating system of the information appliance.
For the sake of security, the administrative port or the serial port is seldom (remotely) accessible to ordinary users. If an information appliance crashes and thus fails, or is confronted with a system-related problem, i.e., a malfunctioning system, the administrator has to enter the server machine room and log in to the information appliance directly via the administrative port or the serial port in order to carry out diagnosis and troubleshooting. Hence, it is advantageous to allow the administrator to remotely diagnose a problem in a convenient and secure manner.
However, it is not an easy task to remotely diagnose a failed information appliance. This is particularly true when the information appliance is located in a DMZ and serves as a reverse proxy that forwards client data to a downstream network server hosting a backend application, because a remote connection is likely to be blocked by an apparatus (such as a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS)) that exists in the DMZ to enforce network security. Accordingly, it is more difficult to carry out remote diagnosis in the DMZ. Owing to the lack of remote diagnosis facilities, a technical support engineer has to physically access the failed information appliance, and thus the technical support engineer or a service team must be dispatched to the data center at the client's site to execute basic maintenance routines. Furthermore, prolonged downtime of a failed system has a great impact on business.
Solutions are available nowadays to perform such diagnosis, for example by leveraging an additional hardware module, such as an integrated management module (IMM), to access the failed information appliance when the system kernel is down. The IMM provides system administration functionality by means of IPMI 2.0. Nonetheless, the aforesaid technique is not applicable to information appliances located in the DMZ or to information appliances with high security requirements: in the DMZ, various network attacks, such as dictionary attacks, may easily compromise the hardware module.